
© Defensive Origins LLC C0320.16 – APT Optics Infrastructure – Event Handlers
Applied Purple Teaming – Infrastructure, Threat Optics, and Continuous Improvement
June 6th, 2020
Sponsored by Black Hills Information Security
Working with Event Subscriptions
Audit Policy
Microsoft recommends the following:
• Anti-Malware
• Process Creation
• Registry Changes
• OS Startup/Shutdown
• Service Installs
• CA Audit Events
• User Profile Events
• Service Start/Failure
• Network Share Events (sans IPC$ events)
• RDS Session Events
• EMET Events
...and so much more... as a baseline... plus the "suspect system/server" baselines
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-sept2019update-for-windows-10-v1903-and/ba-p/890940
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
A Few Important Event IDs
4624 and 4634 (Logon/Logoff)
4662 (ACL'd object access - audit SACL required)
4688 (process launch and usage)
4698 and 4702 (tasks + XML)
4740 and 4625 (Account Lockout + Source IP)
5152, 5154, 5156, 5157 (Firewall - noisy)
4648, 4672, 4673 (Special Privileges)
4769, 4771 (Kerberoasting)
5140 with \\*\IPC$ and so many more....
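As an added example (not from the course slides), the PowerShell below builds a Security-log XPath query covering the event IDs called out above and runs it with Get-WinEvent; the <QueryList> it produces is the same form a WEF subscription takes as its Query element. The function name and the decision to leave the noisy firewall IDs out of the baseline query are assumptions made here.

```powershell
# Added example, not course material: query the Security log for the event IDs above.
function Get-AptOpticsEventQuery {
    # Event IDs from the slide, grouped by what they tell a defender.
    $ids = @(
        4624, 4634,        # logon / logoff
        4662,              # access to an ACL'd object (needs a SACL on the object)
        4688,              # process creation (enable command-line auditing as well)
        4698, 4702,        # scheduled task created / updated (task XML in event data)
        4740, 4625,        # account lockout / failed logon with source IP
        4648, 4672, 4673,  # explicit credentials / special privileges assigned or used
        4769, 4771         # TGS requests and pre-auth failures (Kerberoasting, spraying)
    )
    $idClause = ($ids | ForEach-Object { "EventID=$_" }) -join ' or '
    # 5152/5154/5156/5157 (filtering platform) are deliberately omitted: they are too
    # noisy for a baseline subscription, so collect them separately if needed.
    # 5140 is kept only where the share is \\*\IPC$, as the slide highlights.
    $xpathIpc = "*[System[EventID=5140]] and *[EventData[Data[@Name='ShareName']='\\*\IPC`$']]"
    @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[($idClause)]]</Select>
    <Select Path="Security">$xpathIpc</Select>
  </Query>
</QueryList>
"@
}

# Run locally (elevated prompt needed for the Security log) and show the newest hits.
$queryXml = [xml](Get-AptOpticsEventQuery)
Get-WinEvent -FilterXml $queryXml -MaxEvents 25 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Multiple Select elements inside one Query are OR'd together, so the IPC$ share filter adds to the ID list rather than restricting it.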